Open grotewortel opened 3 months ago
The CIS benchmark for no service dhcp has a reference link to an IOS 16 document. I expect the actual verification commands were not updated for IOS XE 17. There are more problems. These are some fixes for the issues I identified so far. They still check what the CIS benchmark requires to be done, so no changes there.
```python
# general_parsers.compliance_check_with_expected_empty_output(connection, "show running-config | include dhcp", "2.1.4 Set 'no service dhcp'", 1, global_report_output)
general_parsers.compliance_check_with_expected_output(connection, "show running-config all | include no service dhcp$", "2.1.4 Set 'no service dhcp'", 1, global_report_output)
# general_parsers.compliance_check_with_expected_empty_output(connection, "show running-config | include identd", "2.1.5 Set 'no ip identd'", 1, global_report_output)
general_parsers.compliance_check_with_expected_output(connection, "show running-config all | include no ip identd", "2.1.5 Set 'no ip identd'", 1, global_report_output)
# general_parsers.compliance_check_with_expected_empty_output(connection, "show running-config | include service pad", "2.1.8 Set 'no service pad'", 1, global_report_output)
general_parsers.compliance_check_with_expected_output(connection, "show running-config all | include no service pad$", "2.1.8 Set 'no service pad'", 1, global_report_output)
```
Some more:
```python
# general_parsers.compliance_check_with_expected_empty_output(connection, "show running-config | include bootp", "2.1.3 Set 'no ip bootp server'", 1, global_report_output)
general_parsers.compliance_check_with_expected_output(connection, "show running-config all | include no ip bootp server$", "2.1.3 Set 'no ip bootp server'", 1, global_report_output)
# routing_parsers.compliance_check_source_route(connection, "show running-config | include ip source-route", "3.1.1 Set 'no ip source-route'", 1, global_report_output)
routing_parsers.compliance_check_source_route(connection, "show running-config all | include no ip source-route", "3.1.1 Set 'no ip source-route'", 1, global_report_output)
```
Hi Jan,
I'll look into this sometime next week. Although the tool is very agnostic to the benchmark document command recommendation, I do agree they have some mishaps. I'll run through your recommendations on my lab next week.
Hi Jan,
Sorry for the delayed fix -- I've been busy studying for a certification exam. I've patched the script with your recommendations. It should now accurately detect the specified services. The expected empty output parser is also modified to handle the "no" prefix properly.
```python
def compliance_check_with_expected_empty_output(connection, command, cis_check, level, global_report_output):
    # ssh_send is the script's own SSH helper; strip so whitespace-only output counts as empty
    command_output = (ssh_send(connection, command) or "").strip()
    if not command_output:
        # Filter matched nothing: the service is not configured
        compliant = True
    elif command_output.split()[0].lower() == "no":
        # "show running-config all" prints disabled defaults as explicit "no ..." lines
        compliant = True
    else:
        compliant = False
```
Thank you for the fix recommendations. I've added you to the README "Special Thanks To" section for your contributions :D I really appreciate it.
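A stand-alone illustration of the check styles discussed in this thread, added here as example code (it is not the tool's own parser). The running-config text is constructed to resemble a cloud-hosted IOS XE router, and `include_filter` is an assumed stand-in for the IOS `| include <regex>` pipe. It goes slightly beyond the posted patch by testing every matched line for the "no" prefix rather than only the first word, and it shows why the broad `| include dhcp` filter produces a false failure while the `show running-config all | include no service dhcp$` form does not.

```python
import re

# Constructed sample of "show running-config all" output from a cloud-hosted
# IOS XE router (not captured from a real device). Disabled defaults appear as
# explicit "no ..." lines, and the management interface is addressed by DHCP.
SAMPLE_RUNNING_CONFIG_ALL = """\
version 17.13
service timestamps debug datetime msec
no service pad
no service dhcp
no ip bootp server
no ip identd
ip source-route
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!
end
"""

# CIS items from this thread, paired with the "| include" regex that looks for
# the explicit "no <service>" line in "show running-config all".
CHECKS = [
    ("2.1.3 Set 'no ip bootp server'", r"no ip bootp server$"),
    ("2.1.4 Set 'no service dhcp'", r"no service dhcp$"),
    ("2.1.5 Set 'no ip identd'", r"no ip identd"),
    ("2.1.8 Set 'no service pad'", r"no service pad$"),
    ("3.1.1 Set 'no ip source-route'", r"no ip source-route"),
]


def include_filter(config_text, pattern):
    """Assumed stand-in for IOS '| include <regex>': keep the matching lines."""
    regex = re.compile(pattern)
    return [line for line in config_text.splitlines() if regex.search(line)]


def compliant_if_empty_output(lines):
    """Original check style: pass only when the filter matched nothing."""
    return len(lines) == 0


def compliant_if_empty_or_all_no(lines):
    """Patched style from this thread, generalized to every matched line:
    pass when nothing matched or each matched line is an explicit "no ..."
    line (leading indentation ignored)."""
    return all(line.split()[0].lower() == "no" for line in lines if line.strip())


def compliant_if_expected_output(lines):
    """Check style used by the replacement commands: the "no <service>"
    line must be present in "show running-config all"."""
    return len(lines) > 0


def run_checks(config_text):
    """Evaluate every CIS item in CHECKS against one running-config capture."""
    return {
        cis_check: compliant_if_expected_output(include_filter(config_text, pattern))
        for cis_check, pattern in CHECKS
    }


if __name__ == "__main__":
    # The broad filter matches both "no service dhcp" and the interface's
    # "ip address dhcp", so the empty-output check reports a false failure.
    dhcp_lines = include_filter(SAMPLE_RUNNING_CONFIG_ALL, "dhcp")
    print("include dhcp ->", dhcp_lines)
    print("empty-output check:", compliant_if_empty_output(dhcp_lines))
    print("no-prefix check on 'service dhcp':",
          compliant_if_empty_or_all_no(include_filter(SAMPLE_RUNNING_CONFIG_ALL, "service dhcp")))
    for cis_check, result in run_checks(SAMPLE_RUNNING_CONFIG_ALL).items():
        print(f"{cis_check}: {'compliant' if result else 'NOT compliant'}")
```

Running it against the sample shows all items compliant except 3.1.1, because the sample still has `ip source-route` enabled and therefore no `no ip source-route` line for the filter to find; that is the one genuine finding, while the DHCP-addressed interface no longer causes a false failure.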
Hi, I have a problem with CIS Benchmark 2.1.4 Set 'no service dhcp' (Automated). It looks like the benchmark is a bit naive and the Cisco defaults for showing the dhcp service have changed somewhere in time.
The CIS benchmark states this:
There are 2 problems with this. First of all, `no service dhcp` shows up in the output, where the benchmark expects it to be empty. Secondly, virtual cloud-based routers may have an IP address assigned by DHCP. This is the second dhcp occurrence in the output above and will also result in failure of the check.
The good news is, only the check from the CIS benchmark is incomplete. The benchmark is fortunately quite clear about the expected configuration. The configuration is correct, but the check is not.
One of the following commands can be used to check the configuration and will probably be more version independent:
I am using a virtual Cisco 8000V with IOS XE 17.13.1a
Please advise.
Thanks, Jan